FTP: Still Valuable After All These Years

It's common these days for the focus of technical talk to be on the latest
and greatest services coming down the pike. This is all well and good,
but occasionally it's well worth the time to look at some of the tried-and-true
technology that, while considered old, still provides useful service.
One of the oldest, and also one that's intimately associated with the
Internet and is still particularly useful, is the File Transfer Protocol
or FTP.

For example, at this moment, I'm on holiday (supposedly)
sitting on a pure, white-sand Maui beach sipping
a Mai Tai and watching the waves lap onto the
shore. Because my location and activities, or
lack thereof, don't change deadlines (with editors
being the way they are), I'm attempting to make
mine. However, a mitigating factor is in play.
In the pursuit of domestic harmony, I agreed to
leave my laptop behind during the holiday. Knowing
that I'd require some information, before
I left, I placed all the files I might need in
an FTP-accessible directory. Now all I have to
do is visit the local cyber café to obtain
and print anything I may require. Perhaps this
doesn't fulfill the complete spirit of the domestic
arrangement, but the legal requirement remains
intact. This technology (and a gold bracelet)
delivered a workable solution.

The Evolution of FTP
As one of the earlier Internet technologies, FTP is described in several
RFCs that have been successively building as new needs arose during its
implementation. One of the earliest was RFC 141, published in 1971, that
simply states in the opening line, "A file transfer protocol is needed."
Even earlier is RFC 133, which references ideas outlined in RFC 60. From
these Paleolithic beginnings, RFC references build up to RFC 959, which
is the basis for most FTP products today. The latest developments in FTP
are outlined in RFC 2640, published in 1999, which focuses on the internationalization
of FTP (for languages that can't be expressed in the 7-bit ASCII character
set through the use of extended character sets). As you can see, based
upon the sequential nature of RFCs, FTP reaches far back in the history
of networking and continues to hold its own within the pace of contemporary
developments.

As you'd expect, the general FTP architecture is built on top of TCP.
FTP takes advantage of the connection-oriented nature of TCP and rides
on top of the sessions TCP provides, so all data transferred between
the client and the server is guaranteed intact delivery. There is also
a UDP-based relative called Trivial FTP (TFTP), which is connectionless
and has no authentication, but we're not going to cover that service
here. So what about FTP and Windows 2000?

How Does FTP Play with Win2K?
In Win2K, an FTP server is implemented as a component of the Internet
Information Service. This usually occurs as part of the default installation
of IIS; however, it's possible that FTP hasn't been installed on a particular
machine, even if IIS has been previously installed. If this is the case,
it'll be apparent when you open the Internet Services Manager MMC snap-in.
In the example of the IIS manager shown in Figure 1, the FTP service is
missing. If it were installed, you'd expect to see a "Default FTP
Site" listed.

Figure 1. In Windows
2000, FTP is implemented as a component of
the Internet Information Service. However,
it's possible that FTP hasn't been installed
on a particular machine. If this is the case,
FTP will not appear in the IIS snap-in.

If you try to add a new FTP site, you'll receive a message stating that
you don't have the service installed on the machine. This will send you
to the Add/Remove programs applet in the Control Panel, where you'll select
the change option for the IIS service. When you select the Details button,
you're presented with the various options that are part of the overall
IIS service. To add the FTP service, simply select the File Transfer Protocol
Server by checking the appropriate box (Figure 2).

This will result in the proper files being added to the server and the
basic FTP service installation. Whether you reach this point by adding
the service or are dealing with a default IIS server, the real work of
the FTP site is in the configuration.

Go Configure
When you return to the MMC IIS snap-in, you'll find the FTP service in
its default state. To begin the configuration process, select the Default
FTP site, right-click and select the Properties option to bring up Figure
3.

The description is used to identify the various sites you may choose
to create on this particular server. TCP Port 21 is the well-known assignment
for FTP. Most FTP clients will look for an FTP server on this port. If
you change this number, the client will have to know what port number
you're using in order to make a connection. Some people change this to
build a rudimentary security barrier to protect resources on the FTP server.
This can help with casual lurkers, but anyone serious about trying to
discover if you're running an FTP server can use a port monitor to discover
what port number you've chosen.

Figure 3. Right-clicking
on the Default FTP site will bring up the
Default FTP Site Properties box.

Figure 4. Checking the
Enable Logging box, seen in Figure 3, allows
you to keep a history of the FTP server session
activity.

The "Limited To" connectivity option determines how many users
can establish an FTP session concurrently. If you're not supporting a
large site designed to allow access to many anonymous users, such as a
major software vendor using FTP to distribute software updates to the
public, you can lower this number to roughly the number of people you
plan to support. This isn't critical, but there's no reason to waste resources.
A more useful configuration on this page is the "Enable Logging"
checkbox. With this selected, you can keep a history of the FTP server
session activity with some of the self-explanatory options shown in Figure
4.

Lock it Down
The next tab among the configuration screens is for determining your FTP
server's security. This tab can be a bit confusing because of the potential
for conflicting options. As you can see in Figure 5, Allow Anonymous Connections
is selected and ready to use the same account that IIS uses for Web access.
These two services are used in different ways, so it's very common and
advisable to create a separate account for the FTP server if you plan
to support anonymous connections. Because the anonymous users will be
presented to the Win2K security subsystem through this account, you can
limit and control the access they may have to the resources on the FTP
server apart from the HTTP server.

The "Allow only anonymous connections" option prevents Win2K accounts
from accessing the FTP server. This is useful because the passwords used
to access the FTP site are passed across the Internet in clear text. If
serious vandals wanted to breach your Win2K security, they could trap
FTP traffic to your site and obtain the account and password information
necessary to complete the task. If you remove the Allow Anonymous Connections
check mark, you'll receive the message in Figure 6.

If you do opt to let individual Win2K accounts access the FTP resource,
you'll have to allow the Log on Locally privilege for these accounts.

Figure 5. If Allow Anonymous
Connections is selected, it'll use the same
account that IIS uses for Web access. These
two services are used in different ways, so
it's very common and advisable to create a
separate account for the FTP server.

Figure 6. If you remove
the Allow Anonymous Connections check mark,
you'll receive a message warning you of the
security danger.

Figure 7. The next tab
is the Messages tab, which is used to communicate
with users, providing welcome and exit messages
and warnings, as needed.

The "Allow IIS to control password" option disables the Password
box and makes any changes in the Active Directory Users and Computers
applet apply to the FTP server as well. Remember that even if you use
Win2K accounts for authentication, anonymous connections will still be
permitted to the FTP server if the Allow Anonymous Connections box is
checked.

The next tab is the Messages tab (Figure 7), which is used—as you can
imagine—to communicate with users during specific circumstances.

The welcome message can be used to present the requisite legal warning
to unwelcome visitors or to simply instruct the visitors of what they
expect to find on the site. The Exit message is self-explanatory, and
the Maximum Connections message is what new potential visitors will see
if the number of users currently connected is greater than the number
configured for the site.

The Home Directory tab (Figure 8) allows you to choose the directory
on the FTP server into which visitors will be dropped when they connect
to the server. You can use a local location or you can even redirect the
user to another server. If you redirect the user, you must configure the
permissions on the other server to support either the anonymous account
or the Win2K account credentials that the user presents.

This redirection is accomplished using a standard UNC path, the same
notation Win2K uses for file shares. The Directory Listing Style supports
either the 8.3 DOS names or the Unix style that's more common on the Web.

Figure 8. The Home Directory
determines where your FTP site visitors will
be dropped when they connect to the server.

Go "Virtual"
The Win2K FTP service allows you to generate what's called a "virtual
server," which lets you create different FTP servers on the same
box. For example, you can have one directory that allows uploads with
one name, and another FTP server pointed to a different directory that
only allows downloads. Each server can be configured to accept different
users and provide different purposes. Figure 9 shows a site for my business
information and another as a location where members of my extended family
can upload and download digital photos. To do this, select the Action
menu, then New | FTP Site. This launches a wizard that creates the new
virtual FTP server. Alternatively, you can just right-click on the server
and choose New | FTP Site.

Figure 9. The Windows
2000 FTP service allows you to create a "virtual
server." Each server can be configured
to accept different users and fulfill different
needs.

Figure 10. The Directory
Security tab controls general access to the
FTP site based upon the IP addresses of its
clients.

The final tab, Directory Security (Figure 10), controls general access
to the FTP site based upon the IP addresses of the clients. This is useful
if you know the addresses of the clients that will use the server; but
these days, with so much remote connectivity and dynamic addressing, it's
not quite as useful.

However, if this option is useful for your situation, you can use it
to control whether access is granted or denied based upon the IP address
or a block of IP addresses.
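Three of the choices above (the Enable Logging checkbox, whether named Win2K accounts may log in with their cleartext passwords, and the IP-based Directory Security tab) can be checked against the server's own log. The following script is an added example and not part of the article or of IIS: it parses a constructed W3C extended log snippet in the "[n]USER"/"[n]PASS" style IIS FTP logging uses, reports which named accounts authenticated over the cleartext channel, which logins failed, and which client addresses fall outside the allowed blocks; the addresses, accounts and field set are assumptions for the example.

```python
# Added example (not from the article): audit a Win2K IIS FTP W3C extended
# log for the policy choices discussed above. All sample data is constructed.
import ipaddress

# Constructed sample log; the "[n]USER"/"[n]PASS" method notation follows
# IIS FTP logging, while the hosts and accounts are invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2001-06-14 09:00:01 192.168.1.20 - 10.0.0.5 21 [1]USER anonymous 331
2001-06-14 09:00:02 192.168.1.20 anonymous 10.0.0.5 21 [1]PASS - 230
2001-06-14 09:00:10 192.168.1.20 anonymous 10.0.0.5 21 [1]sent /notes.txt 226
2001-06-14 09:01:00 203.0.113.7 - 10.0.0.5 21 [2]USER jsmith 331
2001-06-14 09:01:01 203.0.113.7 jsmith 10.0.0.5 21 [2]PASS - 230
2001-06-14 09:02:00 198.51.100.9 - 10.0.0.5 21 [3]USER admin 331
2001-06-14 09:02:01 198.51.100.9 admin 10.0.0.5 21 [3]PASS - 530
"""


def parse_w3c_log(text):
    """Return one dict per log record, keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names the columns
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records


def audit(records, allowed_networks):
    """Summarise PASS records: named accounts that authenticated in the clear,
    failed logins, and client addresses outside the Directory Security allow list."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    result = {"named_ok": set(), "failed": set(), "outside_allowed": set()}
    for r in records:
        if not r["cs-method"].endswith("PASS"):
            continue                            # only login attempts matter here
        user, ip, status = r["cs-username"], r["c-ip"], r["sc-status"]
        if status == "230" and user.lower() != "anonymous":
            result["named_ok"].add(user)        # a real Win2K password crossed the wire
        elif status != "230":
            result["failed"].add((user, ip))
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            result["outside_allowed"].add(ip)
    return result


if __name__ == "__main__":
    print(audit(parse_w3c_log(SAMPLE_LOG), ["192.168.1.0/24"]))
```

Point the script at a real log from the directory configured under Enable Logging and pass the address blocks granted on the Directory Security tab to see the same three summaries for your own server.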

After you've configured the FTP server to suit
your needs, you're ready to start accepting clients.
Of course, you should keep an eye on the server
to make sure it's performing properly and providing
the services in the intended manner. There are
several other ways to remotely connect to a central
machine, but FTP is one of the most simple and
straightforward methods to provide a centralized
repository of files for remote users across the
Internet—including yourself.